Encryption provides data security, using keys for encryption and decryption. Policies guide the use of the keys, data and software. Typically, a company (i.e., an enterprise) provides data security in its enterprise environment using keys generated and managed according to policies in that environment. If the enterprise uses cloud services, a software-as-a-service provider is typically responsible for data security in the cloud, using keys generated and maintained by the software-as-a-service provider in accordance with policies controlled directly by that provider. These keys are generated and maintained in the cloud computing environment. Enterprises therefore face the decision of whether or not the cloud computing environment is a trusted environment. Cloud service hosts may provide data security by setting up virtual private networks, using keys generated and maintained by the cloud service hosts in accordance with policies controlled directly by the cloud service hosts. These keys are also generated and maintained in the cloud. Yet there is a need in the art for a solution that would allow improvements in security under more direct control by an enterprise.